A serious vulnerability in the Red Hat OpenShift AI service (RHOAI) enables attackers with minimal access to escalate privileges and take control of entire clusters.
Identified as CVE-2025-10725, the flaw resides in an overly permissive ClusterRole assignment.
A low-privileged user, such as a data scientist with a standard Jupyter notebook account, can exploit this weakness to gain full cluster administrator rights.
Once elevated, the attacker can steal sensitive data, disrupt services, and control the underlying infrastructure, leading to a complete breach of both the platform and hosted applications.
| CVE ID | Affected Component | CVSS v3.1 Score (Red Hat) |
| CVE-2025-10725 | Red Hat OpenShift AI Service (rhoai/odh-rhel8-operator, rhoai/odh-rhel9-operator) | 9.9 (Important) |
The vulnerability stems from a ClusterRoleBinding that links the built-in system:authenticated group to the kueue-batch-user-role.
This grants any authenticated user broad job-creation rights across the cluster. By abusing this permission, an attacker can create malicious jobs that run with elevated privileges, effectively hijacking the cluster control plane.
Red Hat rates this flaw as Important rather than Critical, because it requires an authenticated account to succeed.
However, real-world risk is significant: many organizations grant broad rights to data scientists or analysts who may not require cluster-wide job creation.
An attacker in this role can move laterally, gain persistent control, and manipulate sensitive workloads.
To mitigate the issue, administrators should immediately remove the offending ClusterRoleBinding. Instead of granting wide permissions to all authenticated users, adopt least-privilege principles:
- Revoke the ClusterRoleBinding associating kueue-batch-user-role with system:authenticated.
- Assign job-creation privileges only to specific users or groups that need it.
- Review other ClusterRoleBindings to ensure no other overly broad assignments exist.
These steps limit the risk exposure and reduce the attack surface by restricting administrative capabilities to trusted identities.
CVE-2025-10725 is formally documented on both the CVE website and the NVD. Red Hat remains the authoritative source for product-specific impact ratings and remediation guidance.
This vulnerability serves as a reminder of the dangers posed by overly permissive roles in Kubernetes environments.
Security teams should audit role and binding assignments regularly, align permissions with actual job requirements, and enforce strict separation between development, analytics, and administrative duties.
Proactive cluster governance and vigilant permission management are key to preventing privilege escalation and ensuring the integrity of AI-powered platforms.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
